Adobe ColdFusion Zero-Day Exploited: Patch Deadline Already Missed
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 14, 2026
cybr.cx Daily Digest — July 14, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-48282 | Adobe ColdFusion | CVSS: N/A (KEV listed)
Adobe ColdFusion contains a path traversal vulnerability enabling arbitrary code execution in the context of the current user. This is confirmed actively exploited in the wild and carries a CISA remediation deadline that has already passed (July 10). If you're running ColdFusion in any internet-facing capacity, treat this as a fire drill — patch or isolate now.
⚠️ Actively exploited — CVE-2026-56291 | Balbooa Forms (Joomla) | CVSS: N/A (KEV listed)
Unauthenticated attackers can upload arbitrary executable files through Balbooa Forms, leading to full remote code execution. No authentication required makes this trivially weaponisable at scale. Deadline was July 13 — any exposure here is overdue for remediation.
⚠️ Actively exploited — CVE-2026-48939 | iCagenda (Joomla) | CVSS: N/A (KEV listed)
The file attachment feature in iCagenda allows unrestricted file uploads including PHP code, resulting in remote code execution. Another Joomla ecosystem entry this week — operators running community or event-focused Joomla sites should audit installed extensions immediately.
⚠️ Actively exploited — CVE-2026-48908 | JoomShaper SP Page Builder | CVSS: N/A (KEV listed)
Unauthenticated arbitrary file upload leads to PHP code execution in SP Page Builder. Three Joomla-ecosystem plugins in the KEV simultaneously signals active, possibly coordinated, campaign activity targeting Joomla installations. Review web server logs for suspicious POST requests to upload endpoints.
⚠️ Actively exploited — CVE-2026-55255 | Langflow | CVSS: N/A (KEV listed)
An authenticated attacker can execute any flow belonging to another user simply by specifying the victim's flow ID in the request — a trivial horizontal privilege escalation in an AI workflow platform increasingly deployed in enterprise environments. Given how Langflow is often wired into internal tooling and data pipelines, lateral access here could be deeply consequential.
⚠️ Actively exploited — CVE-2026-56290 | Joomlack Page Builder | CVSS: N/A (KEV listed)
Unauthenticated arbitrary file upload enabling remote code execution. Functionally identical to the other Joomla page builder entries this week — the pattern here strongly suggests threat actors are running broad scans across Joomla plugin fingerprints.
⚠️ Actively exploited — CVE-2008-4128 | Cisco IOS 12.4 | CVSS: N/A (KEV listed)
A nearly 18-year-old CSRF vulnerability in Cisco IOS 12.4 that allows remote attackers to execute arbitrary commands via crafted requests to the HTTP management interface is — somehow — still being exploited in 2026. If you have any IOS 12.4 devices still in production, this is a good moment to have an uncomfortable conversation with your network team. CISA's remediation deadline is July 16.
CVE-2026-15548 | Shibby Tomato ≤ 1.28.0000 | CVSS: 8.8 — HIGH
A remotely exploitable stack-based buffer overflow in the DNS list rendering component of Shibby Tomato's HTTP daemon. While this firmware project is officially superseded by FreshTomato, legacy hardware running old Tomato builds is common in home labs and small offices — attackers don't care about end-of-life status.
CVE-2026-49972 | Laravel-Mediable < 7.0.0 | CVSS: 8.8 — HIGH
Unauthenticated attackers can achieve remote code execution by uploading a double-extension file (e.g., shell.php.jpg). The library's PATHINFO_FILENAME extraction preserves the inner .php extension, and on misconfigured Apache or nginx servers the file executes as PHP. Any Laravel application using Mediable for file handling should upgrade to 7.0.0 immediately.
CVE-2026-49970 | Laravel-Mediable < 7.0.0 | CVSS: 8.8 — HIGH
A companion to the above: a path traversal in File::sanitizePath() allows attackers controlling the destination directory argument to write uploaded files to arbitrary filesystem locations. Combine with CVE-2026-49972 and you have a clean, unauthenticated write-then-execute chain.
CVE-2026-9492 | Gigabyte Control Center (GCC) | CVSS: 7.8 — HIGH
The MBStorage DRAM lighting control module ships a driver (MyPortIO_x64.sys) that permits authenticated local attackers to send arbitrary IOCTL commands, enabling read/write of physical memory and full kernel privilege escalation. Gaming-adjacent software with kernel drivers continues to be a rich target for local privilege escalation — particularly relevant in environments where GCC is deployed on developer workstations.
CVE-2026-15584 | OpenShift incluster-checks | CVSS: 7.5 — HIGH
The incluster-checks diagnostic tool creates privileged debug pods with host filesystem access in the default namespace, where any user with the standard edit role can exec in and obtain root on cluster nodes. This is a textbook case of a debugging tool creating a worse security posture than the problem it was diagnosing.
CVE-2026-49969 | Laravel-Mediable < 7.0.0 | CVSS: 7.4 — HIGH
Server-side request forgery via unvalidated caller-controlled URLs passed to MediaUploader::fromSource(). Attackers can reach RFC-1918 addresses, loopback interfaces, cloud metadata endpoints (think IMDS), or file:// URIs. In cloud-hosted Laravel applications this could expose instance credentials.
Headline News
Ryuk Ransomware Operator Pleads Guilty
Karen Serobovich Vardanyan, a 34-year-old Armenian national, has pleaded guilty in a U.S. federal court for his role in deploying Ryuk ransomware against American organisations, facing up to 15 years in prison. Ryuk was one of the most destructive ransomware operations of the early 2020s, responsible for hundreds of millions of dollars in damages across healthcare, government, and critical infrastructure targets. The group was closely associated with the TrickBot ecosystem and Wizard Spider threat actor cluster, operating a sophisticated affiliate model long before RaaS became ubiquitous. The prosecution underscores continued U.S. government commitment to pursuing ransomware actors across jurisdictions — and serves as a reminder that attribution and extradition timelines in cybercrime cases are long but not infinite.
Leaked SFPD Drone Footage Reveals Scope of Urban Aerial Surveillance
Leaked footage from San Francisco Police Department drone operations has surfaced publicly, offering a ground-level view of how extensively aerial surveillance is being deployed in a major U.S. city. The material illustrates persistent overwatch capabilities that go significantly beyond what public disclosures had suggested — including coverage of protests, routine street activity, and private spaces visible from altitude. For security practitioners, the leak itself is notable: drone footage management systems represent an emerging class of sensitive operational data that organisations are often not treating with appropriate access controls or data governance. The incident arrives as LAPD separately allowed its contract with licence plate and surveillance network operator Flock Safety to expire, citing civil liberties concerns — suggesting growing institutional friction around the aggregation of urban sensor data even within law enforcement.
Schrödinger's Feed
Physicists at Heinrich Heine University Düsseldorf, collaborating with the German Aerospace Center, have published findings in Physical Review Letters challenging a foundational assumption about quantum mechanics — specifically, that the theory does not necessarily require its standard mathematical formulation to hold universally. This is the kind of result that sounds abstract until you consider that post-quantum cryptography standards are built on assumptions about what quantum computers can and cannot do efficiently. If the mathematical scaffolding of quantum mechanics admits alternative formulations, the boundary conditions for cryptographically relevant quantum advantage may need revisiting. Practitioners invested in PQC migration timelines should watch this space — not with alarm, but with the recognition that the theoretical ground is still shifting beneath the engineering.
/dev/random
Apple's new SpeechAnalyzer API got benchmarked this week against OpenAI's Whisper and Apple's own previous speech recognition stack — and the results were interesting enough to generate significant practitioner attention. The benchmark revealed that Apple's on-device model achieves competitive transcription accuracy while keeping all audio processing local, with no network egress, which is either a privacy win or a convenient talking point depending on your threat model. The more quietly amusing detail: the previous Apple speech API, which many developers had been wrestling with for years, was outperformed by its own successor on nearly every metric, suggesting the old API was perhaps more of a historical artefact than a deliberate design. Sometimes the scariest vulnerability is the one your own platform shipped five years ago and quietly deprecated without telling anyone.